Topic: How about SSL support (Read 71659 times)




Anonymous: How about SSL support
« on: April 03, 2006, 04:52:59 PM »


Great little program..just wondering if you could make it a little more secure by adding an 
option for HTTPS? 


Thanks! 

blueeagle69 (Occasional poster, Posts: 9): SSL
« Reply #1 on: April 18, 2006, 05:46:50 AM »

Hi.
You can use STunnel.
It works great.
Just Google for "STunnel"
Hope this helps.

Azag (Guest): Re: SSL
« Reply #2 on: April 21, 2006, 04:13:58 AM »


Quote from: "blueeagle69"
Hi.
You can use STunnel.
It works great.
Just Google for "STunnel"
Hope this helps.


blueeagle69 could you show me some proof that you got this to work (HFS using STunnel.)
It would save me time in setting it up and finding out that it isn't working if I try again.
:roll: A screen shot or link of a site running with this would be nice. Maybe you could write
a little tutorial on how to do it successfully, that is if you have tried this. Still though without
some proof I have a hard time believing this would work no offense.

Even if it could to me it seems hardly worth the trouble unless maybe you run an e-commerce
type site or want more privacy or added security. I have tried experimenting
with this in the past with HFS, STunnel, OpenSSL and made a working certificate (.pem file)
and had no success even with STunnel tutorials I found. :?


Peace, 


Azag 
SSL
« Reply #3 on: April 21, 2006, 08:43:11 AM » 


Hi 
I originally used STunnel with Abyss webserver. 


Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the
STunnel main folder. This certificate should be called STunnel.pem.


Then edit the STunnel config, and find these lines. If they are not there, then simply create 
this section. If they are there, they may be remarked out by default, so remove the 
remarks. It should read exactly as below 


[https] 

accept = 443 
connect = 80 
TIMEOUTclose = 0 


Change the connect line to match your server port, and change the accept port to 
whatever port your URL connects to. It is best to leave it at the default though. 
Next, I recommend loading HFS first, then STunnel last. 


Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and 
create a DynDNS account. 
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to 
another DynDNS webhop. 


I would send you a screen grab, but my mate who normally connects to my server is on his
hols. And I can't because I am behind a Router Firewall. So all I get is my Router logon.


Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org 




How about SSL support
« Reply #4 on: April 21, 2006, 10:33:54 AM » 


At your login page it is shown as http://blueeagle.webhop.org not 
https://blueeagle.webhop.org 




Hi 
« Reply #5 on: April 21, 2006, 11:03:12 AM » 


Yes, that's correct.


The first URL re-directs you to the secure URL. 
Your attempt was picked up both by STunnel and HFS! 




Re: Hi 
« Reply #6 on: April 21, 2006, 11:05:01 AM » 


Quote from: "blueeagle69" 
Yes, that's correct.


The first URL re-directs you to the secure URL. 
Your attempt was picked up both by STunnel and HFS! 


It re-directs you to https://blueeagle69.dyndns.org, which is the secure one. 


Look on the bottom left of the browser window, in Explorer's case, and you will see the 
address you are re-directed to. 




How about SSL support
« Reply #7 on: April 21, 2006, 01:23:02 PM » 


Blueeagle69!!! You made my day!!! :happy:


Stunnel works perfectly on my machine now. edit: And no admin rights required & no
messing around with the registry :twisted:

2006.04.21 20:31:19 LOG7[3432:556]: https connecting 127.0.0.1:80
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: waiting 10 seconds
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: connected
2006.04.21 20:31:19 LOG7[3432:556]: Remote FD=280 initialized
2006.04.21 20:31:19 LOG7[3432:556]: TCP_NODELAY option set on remote socket
2006.04.21 20:31:59 LOG7[3432:2696]: https accepted FD=304 from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2696]: Creating a new thread
2006.04.21 20:31:59 LOG7[3432:2696]: New thread created
2006.04.21 20:31:59 LOG7[3432:2276]: https started
2006.04.21 20:31:59 LOG7[3432:2276]: FD 304 in non-blocking mode
2006.04.21 20:31:59 LOG7[3432:2276]: TCP_NODELAY option set on local socket
2006.04.21 20:31:59 LOG5[3432:2276]: https connected from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): before/accept initialization
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read client hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write server hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write change cipher spec A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write finished A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 flush data
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read finished A
2006.04.21 20:31:59 LOG7[3432:2276]: 1 items in the session cache
2006.04.21 20:31:59 LOG7[3432:2276]: 0 client connects (SSL_connect())
2006.04.21 20:31:59 LOG7[3432:2276]: 0 client connects that finished
2006.04.21 20:31:59 LOG7[3432:2276]: 0 client renegotiations requested
2006.04.21 20:31:59 LOG7[3432:2276]: 7 server connects (SSL_accept())
2006.04.21 20:31:59 LOG7[3432:2276]: 7 server connects that finished

Thank you for pointing me to stunnel (had tried it years ago, but never thought about
using it for extending HFS with https/ssl).
This combination now makes HFS a real killer!
As soon as I've tested it completely, I will provide a non-tech manual in the wiki.
Edit: If you are behind a router, don't forget to forward port 443! 
Rejetto: Does it make sense to lower the priority for SSL-support for HFS in your To-Do list? 
BTW stunnel is open source & GNU 
~GeeS~ 

rejetto (Administrator, Insane programmer, Posts: 12392): How about SSL support
« Reply #8 on: April 21, 2006, 01:24:23 PM »

i never meant to work on it soon, so...

blueeagle69 (Occasional poster, Posts: 9): SSL
« Reply #9 on: April 21, 2006, 01:35:30 PM »

You are very welcome.
Glad I could help!

deisler (Guest): How about SSL support
« Reply #10 on: April 25, 2006, 06:57:39 AM »

Hi, i've got mine working too. except i can't seem to login successfully. main page works
and public folders work under https and it'll always auto direct to https, but if to login it'll
go back to http! how do i direct this to https? sorry if i'm not clear on my question really
don't know how to put it into words.

maverick (Insane poster, Computer Solutions, Posts: 1052): How about SSL support
« Reply #11 on: April 25, 2006, 10:43:00 AM »

deisler

Does your login IP address start with http or https? (it should start with https).
You could also create a normal DynDNS account and have that account re-direct to another
DynDNS account which would be setup as the secure one.

maverick

~GeeS~ (Tireless poster, "The web was made for sharing..."): How about SSL support
« Reply #12 on: April 25, 2006, 11:45:59 AM »

Quote
main page works and public folders work under https and it'll always auto direct to https, but if to
login it'll go back to http


Same problem here! Didn't have the time to do some testing on stunnel in combination with
HFS.

Did already as Maverick suggested and more ... still the same result: 
https://10.0.0.150/~login either from browser command line or template either 
href="/~login" or href="https://10.0.0.150/~login" didn't work: 

The authorization dialog appears and you are kicked back to http://... 

But, then enter https://10.0.0.150/doesnotexist/ the error page appears, press "home" 
and you are. Or enter https://exist/ idem. 

Maybe a caching problem? 

Maverick, deisler which versions of stunnel and openssl dll's are you using. 

I tried & errored the last few days to create my own private key/certificate pem-file and
used different compilations instead of the default ones, successfully

Thought that all problems were solved and just started to write a short manual. 

Oh, btw testing on intel, xp SP2, IE, no admin :roll: 

precompiled stunnel 4.15, openssl probably 0.9.7i (0.9.8a crashes stunnel 4.15 .exe) 


Strange logs in HFS 


Code:

2006-04-25 19:53:16 Guest@127.0.0.1:1798 Sent 2038 bytes
2006-04-25 19:53:16 Guest@127.0.0.1:1798 Served 1.79 KB
2006-04-25 19:53:16 127.0.0.1:1797 Got 509 bytes
2006-04-25 19:53:16 127.0.0.1:1797 Requested GET /~img10
2006-04-25 19:53:16 127.0.0.1:1797 Request dump
> GET /~img10 HTTP/1.1
> Accept: */*
> Referer: https://10.0.0.150/Project%20SSL/teststunnel/
> Accept-Language: nl
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: 10.0.0.150
> Connection: Keep-Alive



Guest@ dropped?! 
In the next hours i'm online edit:[removed] port 80(http) and 443(https) 


btw the files you find are just for testing you may download on your own risk pem's and 
privatekeys are just defaults 




~GeeS~ 
« Reply #13 on: April 25, 2006, 02:21:06 PM »


After testing HFS with stunnel i come to the following conclusion: 


1. HFS with stunnel works perfectly as long as the ~login command is not used. In
order to enter a protected resource, the user:password dialog pops up and after entering
the right credentials, (https) access is granted. This is the expected behaviour, nothing
wrong!


2. Use of https://site/~login after entering the user:password replies with http://site 
without recognising the user. I guess this login command is implemented differently than 
the "normal" user:pass dialog. 


3. If yes, and if it can't be fixed, it would not be a disaster, because working according to 1. 
would do the job perfectly. 


4. But ... i tried to adapt my filesystem to 1. and found that after being logged in as user A
for resource A a protected folder for B was not visible anymore. Unfortunately, the option in
the menu "Visible only for anonymous users" wouldn't do the job. Shouldn't it have to be
"visible for all users"? Now i understand the many questions of users asking for logout.

If it was visible for all users you could just log in with the other account. 


Maybe i missed something... did too much testing on stunnel last days.


~GeeS~ 


How about SSL support
« Reply #14 on: April 25, 2006, 04:10:44 PM »


deisler and ~GeeS~ 


Don't know why you are having login problems. I'm not doing anything different now than
I did with just HFS running and everything appears to be working just fine. I don't,
however, and never did, use http://site/~login or https://site/~login for logging in. Just
http://site with just HFS running and https://site with HFS and STunnel running.

I don't have any problems moving from folder to folder, uploading or downloading - https is
always active as it should be.

I'm running STunnel v4.15 and openSSL v0.9.7i with HFS v2.0 Final. Operating System XP
SP2.

The machine I'm running HFS and STunnel on isn't behind a router.

Check your template. Maybe you have something in there calling a http://server-related-link
which would likely cause a switch from https to http because they would both be valid
addresses from your server. But in this situation you would probably have to login again
to access the http IP address.


Here are a few examples confirming that HFS & STunnel work together in all major
browsers.....

Opera...
Netscape...
FireFox...
Internet Explorer...

maverick 
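
Added example (not part of the original thread, and not HFS or stunnel code): a check for the symptom discussed in Replies #10 to #14, where a visitor on https:// is sent back to http://. It assumes the switch comes from an absolute http:// redirect or template link on the same host; `find_downgrades`, `LinkCollector` and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    # Collects URL-bearing attributes (href, src, action) from a served page.
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def find_downgrades(request_url, status, headers, body=""):
    """Return (kind, url) pairs that move an HTTPS visitor to plain HTTP on the same host."""
    origin = urlsplit(request_url)
    if origin.scheme != "https":
        return []  # nothing to downgrade from
    findings = []

    def check(kind, raw):
        # Resolve relative references the way a browser would before judging the scheme.
        target = urlsplit(urljoin(request_url, raw.strip()))
        if target.scheme == "http" and target.hostname == origin.hostname:
            findings.append((kind, target.geturl()))

    if 300 <= status < 400:
        for name, value in headers:
            if name.lower() == "location":
                check("redirect", value)
    collector = LinkCollector()
    collector.feed(body)
    for url in collector.urls:
        check("link", url)
    return findings


# Constructed samples: a backend behind a TLS wrapper that builds absolute http:// URLs.
SAMPLE_LOGIN = ("https://10.0.0.150/~login", 302,
                [("Location", "http://10.0.0.150/"), ("Content-Length", "0")], "")
SAMPLE_PAGE = ("https://10.0.0.150/", 200, [("Content-Type", "text/html")],
               '<a href="/~login">Login</a> <a href="http://10.0.0.150/files/">Files</a>'
               '<img src="/~img10"> <a href="http://www.example.org/">elsewhere</a>')

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN, SAMPLE_PAGE):
        print(sample[0], "->", find_downgrades(*sample))
```

Relative links such as /~login stay on https and are not reported; only same-host absolute http:// targets are.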




